# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy whonix_host.yml"
  # Entry marker for this task file; only shown at -v or higher.
  debug:
    msg: "proxy whonix_host.yml BOX_WHONIX_PROXY_HOST={{BOX_WHONIX_PROXY_HOST}}"
    verbosity: 1
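- name: chmod 664 /etc/libvirt/qemu/*xml
  # Relax the permissions on the libvirt domain definitions. The glob may
  # match nothing on a host without domains, hence the `|| true`.
  # NOTE(review): 664 makes the domain XML group-writable; the owning group
  # of /etc/libvirt/qemu is not set anywhere in this file — confirm it is
  # the intended one before relying on this.
  shell: |
    chmod 664 /etc/libvirt/qemu/*xml || true
  # A permission fix-up that cannot fail has nothing to report as "changed";
  # this only affects the play summary, not what the command does.
  changed_when: false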
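- name: /etc/libvirt/hooks/network
  # Disabled (when: false): the hook is now shipped by the overlay.
  # Kept for reference. The same dest and the same marker are also used by
  # the blockinfile task later in this file, so only one of the two may ever
  # be enabled or each run would replace the other's managed block.
  blockinfile:
    dest: /etc/libvirt/hooks/network
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
    # Quoted so every YAML parser keeps the octal literal intact.
    mode: "0775"
    block: |
      [ ! -f /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \
      /usr/local/sbin/proxy_libvirt_hook_network.bash
  when: false  # now in overlay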
# FixMe: What's the right conditional for starting polipo?
#- block:
# to be run on the host to use the gateway as our proxy using ports via iptables
# The proxy setup to be run are a way of centralizing tasks from other roles be run on the gateway.
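- name: stat /etc/polipo/config
  # Record whether polipo is installed; the config edits further down only
  # run when this file already exists. Native YAML args instead of the
  # legacy key=value string form.
  stat:
    path: /etc/polipo/config
  register: polipo_conf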
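- name: assert that the PROXY_WHONIX_* settings are all set
  # Fail early if any Whonix proxy port or credential is empty.
  # The conditions are plain Jinja expressions rather than "'{{ X }}' != ''":
  # templating delimiters inside a conditional are deprecated by Ansible, a
  # value containing a quote would break the string comparison, and the
  # expression text no longer carries the rendered value of
  # PROXY_WHONIX_SOCKS_PASS. default('') turns an undefined variable into a
  # clean assertion failure instead of an undefined-variable error.
  # NOTE(review): unlike the set_fact that follows, this assert is not guarded
  # by BOX_WHONIX_PROXY_HOST != "" — confirm it is meant to run on every host.
  assert:
    # drive from {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
    quiet: true
    that:
      - "PROXY_WHONIX_HTTPS_PORT | default('') != ''"
      - "PROXY_WHONIX_SOCKS_PORT | default('') != ''"
      - "PROXY_WHONIX_SOCKS_USER | default('') != ''"
      - "PROXY_WHONIX_SOCKS_PASS | default('') != ''"
      - "PROXY_WHONIX_DNS_PORT | default('') != ''"
      - "PROXY_WHONIX_TRANS_PORT | default('') != ''"
      - "PROXY_WHONIX_BUKU_PORT | default('') != ''"
    fail_msg: "one of the PROXY_WHONIX_* variables is empty or undefined"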
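- name: set the polipo and firewall facts for the Whonix proxy host
  # Map the PROXY_WHONIX_* inputs onto the names the polipo and firewall
  # tasks consume. (The task name used to duplicate the assert's name,
  # which made the two indistinguishable in play output.)
  set_fact:
    # {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
    PROXY_POLIPO_SOCKSHOST: "{{ PROXY_WHONIX_SOCKS_HOST }}"
    PROXY_POLIPO_SOCKSPORT: "{{ PROXY_WHONIX_SOCKS_PORT }}"
    PROXY_POLIPO_SOCKSUSER: "{{ PROXY_WHONIX_SOCKS_USER }}"
    PROXY_POLIPO_SOCKSPASS: "{{ PROXY_WHONIX_SOCKS_PASS }}"
    PROXY_POLIPO_SOCKSTYPE: "socks5"
    # Selects etc/firewall-tor_whonix.conf in the template task below.
    PRIV_FIREWALL_SET: whonix
    # NOTE(review): the assert above checks PROXY_WHONIX_DNS_PORT, but this
    # reads PROXY_DNS_PORT — confirm which variable is intended.
    HARDEN_DNS_PORT: "{{ PROXY_DNS_PORT }}"
  when:
    - BOX_WHONIX_PROXY_HOST != ""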
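- name: "/etc/modules-load.d/firewall.conf"
  # Kernel modules the firewall rules need, loaded at boot by
  # systemd-modules-load. Lines starting with # inside the block are
  # comments to that loader, so the "#5 ..." entries are inert.
  blockinfile:
    dest: /etc/modules-load.d/firewall.conf
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
    block: |
      ip_tables
      ipt_REJECT
      iptable_filter
      iptable_nat
      xt_LOG
      xt_conntrack
      xt_nat
      xt_owner
      xt_state
      xt_tcpudp
      nf_conntrack
      nf_defrag_ipv4
      # 5.15 nf_log_common
      nf_log_ipv4
      nf_nat
      #5 nf_nat_ipv4
      #5 nf_reject_ipv4
      #5 x_tables
      xt_MASQUERADE
      nft_masq
      iptable_mangle
      bridge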
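- name: template /etc/firewall.conf
  # Render the firewall rule set chosen by PRIV_FIREWALL_SET.
  # force: false means that once /etc/firewall.conf exists this task never
  # rewrites it, so later changes to the template or to PRIV_FIREWALL_SET do
  # not reach the host until the file is removed by hand.
  template:
    force: false
    src: "etc/firewall-tor_{{ PRIV_FIREWALL_SET }}.conf"
    dest: /etc/firewall.conf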
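- name: /etc/polipo/config
  # Set each polipo option to the value below, replacing an existing
  # (possibly commented-out) line for the same option.
  lineinfile:
    dest: /etc/polipo/config
    # Anchored on "name =" so an option whose name is a prefix of another
    # cannot capture the wrong line; "#*" still lets a commented-out default
    # be replaced in place.
    regexp: '^#*\s*{{ item.name }}\s*='
    line: "{{ item.name }}={{ item.val }}"
    state: present
    owner: "{{ BOX_ROOT_USER }}"
    group: "{{ BOX_ROOT_GROUP }}"
    mode: "0644"
    create: true
  # Boolean values are quoted: an unquoted `false` is a YAML boolean and
  # Jinja renders it as "False", so the line would read daemonise=False.
  # Quoting guarantees the lower-case spelling reaches polipo (whether it
  # also accepts the capitalised form is not verified here).
  loop:
    - { name: daemonise, val: "false" }
    - { name: diskCacheRoot, val: "" }
    - { name: disableLocalInterface, val: "true" }
    # Listen on loopback only; allowedClients restricts sources the same way.
    - { name: proxyAddress, val: 127.0.0.1 }
    - { name: proxyName, val: 127.0.0.1 }
    - { name: proxyPort, val: "{{ PROXY_POLIPO_PROXYPORT }}" }
    - { name: allowedClients, val: 127.0.0.1 }
    - { name: socksParentProxy, val: "{{ PROXY_POLIPO_SOCKSHOST }}:{{ PROXY_POLIPO_SOCKSPORT }}" }
    - { name: socksProxyType, val: "{{ PROXY_POLIPO_SOCKSTYPE }}" }
    # - { name: socksUserName, val: "foo" } # not Debian - unenforced?
    - { name: disableVia, val: "true" }
    # can be a directory
    - { name: forbiddenFile, val: /etc/polipo/forbidden }
    # maybe the same directory forbids the same tunnelling
    - { name: forbiddenTunnelsFile, val: /etc/polipo/forbidden }
    # NOTE(review): 1-65535 lets clients reach and CONNECT-tunnel to any
    # port — confirm that breadth is intended for this host.
    - { name: allowedPorts, val: 1-65535 }
    - { name: tunnelAllowedPorts, val: 1-65535 }
    - { name: logFile, val: "{{ PROXY_POLIPO_LOG }}" }
    - { name: logSyslog, val: "false" }
    - { name: logLevel, val: 455 }
    # logLevel=0x107
  when:
    - not ansible_check_mode
    - polipo_conf.stat.exists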
# FixMe: make logLevel high but make the log file root readable only
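- name: chmod /var/log/polipo.log
  # Tighten ownership and mode of the polipo log. state: file fails when the
  # file does not exist yet (polipo may not have been started), which is why
  # the failure is ignored rather than aborting the play.
  file:
    state: file
    path: "{{ PROXY_POLIPO_LOG }}"
    # Quoted so every YAML parser keeps the octal literal intact.
    mode: "0640"
    owner: "{{ PROXY_POLIPO_OWNER }}"
    group: "{{ PROXY_POLIPO_GROUP }}"
  when:
    - not ansible_check_mode
  # FixMe: may not have been started
  ignore_errors: true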
#- name: virsh list
# command: virsh list
# register: virsh_list
# when:
# - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
- block:
    # Disabled: the first `when` entry on the block is a literal false, so
    # nothing here runs regardless of the connection check that follows it.
    - name: polipo Whonix-Gateway
      # Rewrites allowedClients= in /etc/polipo/config to 127.0.0.1, appends
      # the inet address of every ifconfig line that contains "br" and has
      # "inet" in it, then restarts polipo through the local rc helper.
      # NOTE(review): `grep br` is a substring match on the whole ifconfig
      # output, not on the interface name (on net-tools ifconfig the inet
      # line itself contains "broadcast"), so it is likely to pick up more
      # addresses than the bridge — tighten the match before re-enabling.
      shell: |
        ifconfig | grep virbr || exit 0
        # FixMe: which is gateway
        grep '^allowedClients=.*/' /etc/polipo/config && \
        sed -e 's/allowedClients=.*/allowedClients=127.0.0.1/' -i /etc/polipo/config || \
        echo 'allowedClients=127.0.0.1' >> /etc/polipo/config
        ifconfig | grep br | grep inet | while read inet ip rest ; do
        sed -e "s/allowedClients=.*/&,$ip/" -i /etc/polipo/config
        done
        . /usr/local/etc/local.d/local.bash
        proxy_rc_service polipo restart
  when:
    - false
    - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
# was in hostvms libvirt.yml
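- block:
    - name: /etc/libvirt/hooks/network
      # Disabled (when: false): the hook shebang now comes from the overlay.
      lineinfile:
        path: "/etc/libvirt/hooks/network"
        create: true
        mode: "0775"
        insertafter: BOF
        line: "#!/bin/sh"
        # Anchored and literal: the previous "#./bin/sh" used "." as a
        # wildcard and was unanchored, so it could match a comment anywhere
        # in the file instead of the shebang on line 1.
        regexp: '^#!/bin/sh'
      when: false  # now in overlay
    - name: /usr/local/bin/proxy_libvirt_hook_network.bash
      # Disabled (when: false): the wrapper now comes from the overlay.
      # NOTE(review): this task and the blockinfile task near the top of the
      # file write the same dest with the same marker, and they refer to the
      # helper under /usr/local/bin here but /usr/local/sbin there — only one
      # of them may ever be enabled, and the path should be reconciled.
      blockinfile:
        dest: /etc/libvirt/hooks/network
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
        mode: "0775"
        # The exit status of the hook is captured in rc: the original logged
        # `retval=$?` after `[ $? -ne 0 ] &&`, where $? is the status of the
        # test itself and so was always 0. "$@" keeps argument boundaries.
        block: |
          export PATH=$PATH:/usr/local/bin:/usr/local/sbin
          # hung processes will hang virsh list
          rc=0
          [ ! -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || \
          timeout --kill-after=10 10 /usr/local/bin/proxy_libvirt_hook_network.bash "$@" || rc=$?
          [ $rc -eq 0 ] || \
          logger $0 WARN: /usr/local/bin/proxy_libvirt_hook_network.bash retval=$rc
          exit 0
      when: false  # now in overlay
    - name: proxy_libvirt_no_autostart
      # Delegates to the ping helper; what the sub-command does is not
      # visible in this file.
      shell: |
        /usr/local/bin/proxy_ping_lib.bash proxy_libvirt_no_autostart
    - name: /etc/init.d/libvirtd
      # Disabled (when: false): the work moved to proxy_hourly.bash.
      shell: |
        # now moved to /usr/local/bin/proxy_hourly.bash
        [ ! -f /usr/local/bin/proxy_hourly.bash ] || /usr/local/bin/proxy_hourly.bash
        exit 0
      when: false
    - name: "/etc/conf.d/libvirtd"
      # Comment out any rc_need line in the libvirtd conf.d file, presumably
      # to drop the OpenRC dependency it declares — confirm against the
      # init script.
      # NOTE(review): 0755 marks a configuration file executable; 0644 is the
      # usual mode for conf.d files — confirm this is intended.
      lineinfile:
        dest: "/etc/{{ ETC_CONF_D }}/libvirtd"
        insertbefore: BOF
        mode: "0755"
        owner: "{{ BOX_ROOT_USER }}"
        group: "{{ BOX_ROOT_GROUP }}"
        create: true
        regexp: "^rc_need"
        line: "#rc_need"
  when:
    - ansible_virtualization_role|replace('NA', 'host') == 'host'
    - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
    - "'libvirt' in BOX_HOSTVMS_FEATURES or BOX_WHONIX_PROXY_HOST != ''"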
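- block:
    - name: /etc/rc.local
      # Seed rc.local from the KickSecure host template only when absent.
      # `creates` replaces the `[ -f ... ] && exit 0` guard: Ansible then
      # reports the task as skipped instead of "changed" on every run, and
      # honours the guard in check mode.
      shell: |
        cp -p /usr/local/etc/local.d/Whonix-Host.local /etc/rc.local
      args:
        creates: /etc/rc.local
      when:
        - BOX_OS_FLAVOR|default('') == 'KickSecure'
    - name: /usr/local/src/secbrowser.bash
      # NOTE(review): the guard exits when /usr/local/src/secbrowser.bash
      # exists, yet the command run is /usr/local/local/src/secbrowser.bash,
      # and a third spelling (/local/src/secbrowser.bash) appears later in
      # this file — confirm which path is right; left unchanged here.
      shell: |
        [ -f /usr/local/src/secbrowser.bash ] && exit 0
        /usr/local/local/src/secbrowser.bash
      when:
        - BOX_OS_FLAVOR|default('') == 'KickSecure'
  when:
    - "ansible_virtualization_role|replace('NA', 'host') == 'host'"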
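- block:
    - block:
        - name: /run/tmp
          # Guest scratch directories; skipped once /run/tmp exists.
          # NOTE(review): this runs as BOX_USER_NAME (become_user below), so
          # the mkdir under /usr/local/lib needs that user to be able to
          # write there — confirm, or it fails on a fresh guest.
          shell: |
            [ -d /run/tmp ] && exit 0
            mkdir /run/tmp
            chmod 1777 /run/tmp
            # lib64 is not being made
            mkdir -p /usr/local/lib/python3.11/site-packages \
            /usr/local/lib64/python3.11/site-packages
          when:
            - external_out.rc|default(1) == 0
            - external_out.stdout|default('') != ''
        - name: proxy_libvirt_forward.bash
          # Start the forwarder unless one is already running.
          # The original `ps ax | grep NAME && exit 0` matched the shell that
          # runs this very script (its command line contains NAME), so the
          # check succeeded on every run and the forwarder was never started.
          # pgrep -f still lists that shell, so its own PID ($$) is filtered
          # out before deciding.
          shell: |
            pgrep -f proxy_libvirt_forward.bash | grep -qvx "$$" && exit 0
            proxy_libvirt_forward.bash
          when:
            - external_out.rc|default(1) == 0
            - external_out.stdout|default('') != ''
      # box mode is tor or
      become: true
      become_user: "{{ BOX_USER_NAME }}"
      when:
        - ansible_connection|default('') in ['libvirt_qemu']
    # The three rc.local tasks below all target the same file; whichever runs
    # first wins and the others are skipped because the file then exists.
    # `creates` makes that skip explicit to Ansible (no "changed" on every
    # run, honoured in check mode) instead of exiting 0 from the shell.
    - name: /etc/rc.local
      shell: |
        cp -p /usr/local/etc/local.d/Whonix-Vda.local /etc/rc.local
      args:
        creates: /etc/rc.local
      when:
        - proxy_vda_cmdline_fact|default(1) == 0
    - name: /etc/rc.local
      shell: |
        cp -p /usr/local/etc/local.d/Whonix-Gateway.local /etc/rc.local
      args:
        creates: /etc/rc.local
      when:
        - BOX_OS_FLAVOR|default('') == 'WhonixGateway'
    - name: /etc/rc.local Workstation
      shell: |
        cp -p /usr/local/etc/local.d/Whonix-Workstation.local /etc/rc.local
      args:
        creates: /etc/rc.local
      when:
        - BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'
  when:
    - ansible_virtualization_role|replace('NA', 'host') == 'guest'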
- block:
- name: /usr/local/src/secbrowser.bash
shell: |
[ -f /usr/local/src/secbrowser.bash ] && exit 0
/local/src/secbrowser.bash
when:
- BOX_OS_FLAVOR|default('') == 'KickSecure' or proxy_vda_cmdline_fact|default(1) == 0